Use cache when JWKS provider is down

[zilinjak]

Hey,
We are building an app that validated requests, we are using JWKS over HTTP. The problem here is:

1. App starts
2. Download keys from JWKS over HTTP
3. The cache of JWKS is out of date
4. Tries to get JWKS over HTTP
5. The JWKS endpoint is down
6. This means that the smallrye-jwt should try to use old keys from cache, but it ends with an error instead.

Can we make sure that the old keys will be used in case that the keys from OIDC endpoint can't be loaded ?

[sberyozkin]

Hi @zilinjak
Is it an exception thrown directly from the Jose4j code itself due to its internal refresh call failing ? Would it be better just to disable this refresh and instead rely on smallrye-jwt refreshing only when it can't find a matching key ?

[sberyozkin]

Hi @zilinjak

So, we need to have a new property to do:

https://bitbucket.org/b_c/jose4j/src/756257eb92352600d5dde08c2b8ed25db13a8952/src/main/java/org/jose4j/jwk/HttpsJwks.java#lines-93

Would be interested to open a PR ?

[sberyozkin]

We have jwksRefreshInterval here. So another property like jwksCacheRetainOnErrorDuration, default 0, I guess also in mins, should be added, and then propagated via JWTAuthContextInfo to be set here

[sberyozkin]

Or even lets call it jwksRetainOnErrorDuration since jwksRefreshInterval does not have Cache in its name, it is implied, ut can be clarified in the property description